CVE-2023-23314
Description
An arbitrary file upload vulnerability in zdir v3.2.0 allows attackers to upload a crafted .ssh file via path traversal, leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An arbitrary file upload vulnerability exists in the /api/upload endpoint of zdir version 3.2.0. The path validation regex is insufficient, allowing directory traversal sequences like /../ to bypass restrictions. An attacker can upload a file with a chosen path, and the file name is not sanitized. This enables uploading an authorized_keys file to the .ssh directory of the SSH user running the application, or other malicious files elsewhere. The issue is documented in reference [1].
Exploitation
An attacker must first have valid authentication credentials (X-Token header) to access the /api/upload endpoint. They then exploit a two-step process: first, create the .ssh directory using the /api/dir/create endpoint with a path traversal payload (path=/../../../../&name=.ssh) to write to the target user's .ssh directory. Second, upload a crafted authorized_keys file via /api/upload, again using path traversal in the upload path to place the file in the .ssh directory. The steps and HTTP requests are detailed in reference [1].
Impact
Successful exploitation allows an attacker to inject an SSH public key into the victim's authorized_keys file, enabling passwordless SSH login as the application user. This leads to full remote code execution (RCE) with the privileges of the application process. The impact includes complete compromise of the server's confidentiality, integrity, and availability.
Mitigation
As of the available references, no patched version has been released for zdir [1]. The vendor was notified via the GitHub issue, but no fix is yet available. Users should restrict network access to zdir and monitor for any updates. If the application is not required, it should be disabled. No workaround is currently documented.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient path sanitization in the `/api/upload` and `/api/dir/create` endpoints allows directory traversal, enabling an attacker to write an SSH authorized_keys file outside the intended application directory."
Attack vector
An attacker first authenticates (the interface requires login credentials) and then uses the `/api/dir/create` endpoint with a `path` parameter containing directory traversal sequences (e.g., `path=/../../../../&name=.ssh`) to create a `.ssh` directory in an arbitrary location on the server [ref_id=1]. Next, the attacker sends a POST request to `/api/upload` with the `path` parameter set to the traversed `.ssh` directory path and uploads a file named `authorized_keys` containing the attacker's SSH public key [ref_id=1]. The flawed regex in the upload method allows the `/../` traversal to bypass path validation, and because the directory was already created, the upload succeeds [ref_id=1]. The attacker can then connect to the server via SSH using their private key.
Affected code
The vulnerability exists in the `/api/upload` component of zdir v3.2.0. The `controller.Upload` method has a flawed regex that validates the upload path, allowing `/../` sequences to bypass the check [ref_id=1]. Additionally, the `controller.Mkdir` method and `!V_dir` function only verify whether the provided path is a folder, without sanitizing directory traversal sequences [ref_id=1].
What the fix does
The advisory does not include a published patch or code fix. The remediation guidance implied by the report is to fix the regex used in the `controller.Upload` method so that directory traversal sequences like `/../` are properly rejected, and to sanitize or validate the `path` parameter in the `controller.Mkdir` method to prevent creation of directories outside the intended application directory [ref_id=1]. No official fix has been confirmed in the available materials.
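The remediation described above, sketched as an added Go example (not zdir's code and not taken from the advisory): instead of pattern-matching the `path` parameter, resolve it under the share root and reject any result that lands outside it, and require the file or directory name to be a single path element. `SafeJoin`, the error values and the root `/data/zdir/public` are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Hypothetical error values for this example.
var ErrOutsideRoot = errors.New("path escapes share root")

// Returned when a name is not one plain path element.
var ErrBadName = errors.New("invalid file or directory name")

// SafeJoin (hypothetical helper) resolves the client-supplied path and name
// under root, which is assumed absolute, and rejects anything outside it.
func SafeJoin(root, userPath, name string) (string, error) {
	// The name must be a single element: no separators, no "." or "..".
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || strings.ContainsRune(name, 0) {
		return "", ErrBadName
	}
	root = filepath.Clean(root)
	// Join cleans the result, collapsing "/../" sequences lexically.
	full := filepath.Join(root, userPath, name)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	root := "/data/zdir/public" // constructed share root
	cases := [][2]string{ // {path, name}; traversal values as reported on this page
		{"/docs", "report.pdf"},
		{"/../../../../", ".ssh"},
		{"/../../../../../../home/kali/.ssh", "authorized_keys"},
		{"/docs", "../../authorized_keys"},
	}
	for _, c := range cases {
		p, err := SafeJoin(root, c[0], c[1])
		fmt.Printf("path=%q name=%q -> %q err=%v\n", c[0], c[1], p, err)
	}
}
```

The check is lexical only: if symlinks can exist inside the share root, resolve the parent directory with `filepath.EvalSymlinks` and repeat the containment test before writing.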
Preconditions
- auth: Attacker must have valid authentication credentials (login and X-Token) for the zdir web interface
- config: The zdir application must be running with file system permissions allowing directory creation and file writes under the target path (e.g., /home/kali/.ssh)
- config: The target server must have SSH enabled and accept public key authentication for the user whose .ssh directory is targeted
- network: Attacker must have network access to the zdir web interface (default port 6080)
Reproduction
1. Authenticate to the zdir web interface and obtain a valid X-Token and X-Cid.
2. Create a `.ssh` directory via directory traversal: `POST /api/dir/create` with body `path=/../../../../&name=.ssh` and appropriate headers including X-Token.
3. Upload an SSH public key as `authorized_keys`: `POST /api/upload` with multipart form-data containing `path=/../../../../../../home/kali/.ssh` and a file field named `file` with filename `authorized_keys` containing an SSH public key.
4. Use the corresponding SSH private key to connect to the server via SSH.

[ref_id=1]
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.